/r/digitalforensics


Links related to the art and science of digital forensics and investigations


11,949 Subscribers

6

NTFS FILE Record Reuse (X-Post)

A new 13Cubed episode is now available. In this continuation of "Anatomy of an NTFS FILE Record," we'll learn how NTFS manages record reuse and distinguishes between in-use and deleted files and directories.

https://www.youtube.com/watch?v=6LpJVx7PrUI

0 Comments
2024/12/02
12:48 UTC

0

Two videos, same camera?

I have two iPhone videos received via WhatsApp

Both are 848x480 as received

Video 1 is 3.9mb and 23 seconds (0.17mb/s)

Video 2 is 5.3mb and 29 seconds (018.2mb/s)

Does this suggest these are taken by different cameras?

Could this be different versions of iPhone?

Or the difference in quality from using front vs rear camera?

Or simply a result of WhatsApp downsizing videos?

Is there another way to tell if videos come from the same camera?

3 Comments
2024/12/02
12:16 UTC

2

Messenger log-out forensics (e.g. Instagram, Facebook Messenger)

I have a question: if I used account A to chat on my phone, logged out, logged in to account B to talk to people, and then logged in to account A again to use it, can I extract the conversation I had with account B when doing forensics on my phone? For example, Instagram or Facebook Messenger.

My phone is an iPhone 13, iOS 17.5.1.

3 Comments
2024/12/01
14:50 UTC

5

When is Cellebrite going to fix the answered calls error?

Recently defense attorneys have been using the Cellebrite report to claim witnesses are lying about not answering calls. Cellebrite seems to be faulty, as the other person's logs show the call was in fact not answered! Why is Cellebrite allowing this to continue? Not every witness's log is going to be in evidence.

6 Comments
2024/12/01
02:43 UTC

3

Career advice for LEO?

I have been working in digital forensics for a law enforcement agency in the United States for three years. I have experience with ADF and Axiom. I'm looking for advice on how I would break into the private sector. What certifications are worth it? What kind of jobs can I possibly transition to? Thank you in advance to anyone who takes the time to read this.

9 Comments
2024/12/01
02:32 UTC

3

Uninstalled app

What data can be recovered after uninstalling an app on an iPhone?

2 Comments
2024/11/30
18:48 UTC

4

Career advice needed ...

I am a 2nd year student doing forensic science as my bachelor's degree. I want to pursue my career in digital forensics. What skill sets are required and how can I work on them? And any advice?

15 Comments
2024/11/29
16:37 UTC

15

CacheGrab

Just finished another tool I wanted to share: CacheGrab. You can use this to parse files from any program's cache directory. The interface allows you to select which specific file types you want to search for and specify where you want them output to.

More details on how it works, along with a demonstration and download link below:

https://wise-forensics.com/2024/11/29/cachegrab/

0 Comments
2024/11/29
07:20 UTC

1

(Suspicious?) Meta Data Question

For a particular case I have 3 screenshots (no access to the actual file) of the Created timestamp (meta data) for 3 apparently different PNG files:

  1. 18 Sept 2023 10:23:22AM

  2. 18 Sept 2023 10:23:22AM

  3. 20 Sept 2023 10:23:22AM

Then I have another set of 6 screenshots (not files) with the Created timestamp for PNG files:

  1. 18 Aug 2023 10:23:24AM

  2. 18 Aug 2023 10:23:24AM

  3. 18 Aug 2023 10:23:24AM

  4. 18 Aug 2023 10:23:24AM

  5. 19 Aug 2023 10:23:24AM

  6. 18 Aug 2023 10:23:24AM

I am a novice in this space so my questions are:

  1. Is it possible to have a "Created" timestamp (to the second) of 2 or more files?

  2. Surely it's not possible to have the same TIME but a different day?

Feel free to ask any questions that might clarify your thoughts.

3 Comments
2024/11/29
03:22 UTC

14

Jump List Parsing Tool

Recently I posted about a tool I created called Windows Artifact Viewer. I just added a powerful new feature you might be interested in. It can now parse Jump List files. For those of you who don't know what jump lists are, they're very similar to the "Recent Items" folder, except a bit more detailed. They sort recent items by application, so if you find the jump list associated with a specific application, it shows you all of the recent files opened using that particular program. It's great for things like "I want to see every Microsoft Word document this user opened" or "I need to see every video this person watched using this particular application".

The Jump List parsing page looks like this:

https://preview.redd.it/qylmb906ym3e1.png?width=1326&format=png&auto=webp&s=e6af25e3e30e86762b2d95cf7945141ca398a282

All you have to do is select a drive (either local or a mounted disk image) and a user. Then the "Applications" dropdown box will populate with a list of applications that have link files associated with them. After you've selected an application and clicked on "Parse Artifacts", it will output the path to the file, creation date, modification date, and last accessed date to a text file.

This feature was a bit more difficult to implement since I needed to reverse engineer the data structure of the jump list files to figure out how to parse everything properly. For that reason, on some occasions the output is a little bit buggy, but for the most part it works perfectly.

More info on Windows Artifact Viewer and download link: https://wise-forensics.com/2024/09/16/windows-artifact-viewer/

2 Comments
2024/11/28
12:32 UTC

0

Short domain 4n6.pro for forensic projects

I have the domain 4n6.pro, which could be a good fit for anyone in the forensic or digital forensics field. Just sharing in case it's useful for a project or website. Feel free to reach out if you're interested or want more info!

3 Comments
2024/11/26
15:31 UTC

19

Windows Artifact Viewer GUI

I recently made a post on here showcasing some digital forensics tools that I wrote in Python. Out of all those tools, the only one I hadn't yet turned into a GUI was Windows Artifact Viewer. Well, I finally got around to it, and I finally have an early version of it out that I'd like to share.

Windows Artifact Viewer is a simple program that will automatically search a local computer or mounted disk image for artifacts and then parse them for you. At the moment, it can parse a few file artifacts and internet artifacts, but I plan on adding more capabilities soon. The CLI version of this was able to parse the registry, but I removed that feature from the GUI since my other program, RegEasy, is able to parse the Windows registry very thoroughly. I'm pretty happy with how it has turned out so far. It's still in the early stages, so if you find any bugs, please DM them to me so I can fix them. You can check out the tool here:

https://wise-forensics.com/2024/09/16/windows-artifact-viewer/

2 Comments
2024/11/26
07:00 UTC

0

Cheating Wife? suspicious items in ~/Library/Application Support/Mobile Sync/Backup

Posted in r/MacOS and they suggested I ask here.

Without going into too much detail, I think my wife might be cheating and I am gathering evidence. I found what appears to be search queries of a suspicious nature on her computer in ~/Library/Application Support/Mobile Sync/Backup. This file contains a list of thousands of items, each item followed by a number, for example:

pink sweater 4.5751
goth jewelry 4.5751
diy dessert table 4.5751

Some suspicious examples I found:
what to say to your crush 4.5879
being the other woman 4.5831
forbidden love affair 4.5831
mistress quotes being the 4.5902

There are many more. You get the picture.

Here's my question: Could this just be a default list? Or are they necessarily searches she made?

UPDATE:
I appreciate all the relationship advice, but that's not why I posted here. My mistake for incorporating salacious info. Simply looking for an answer pertaining to the file in question. Thanks to PotencijalNaKvadrat I believe I have the answer I was looking for.

6 Comments
2024/11/25
20:31 UTC

0

Axiom Portable Case Assistance

Hello, I have a uni assignment using Axiom Portable Case. I'm very confused by it and my professor hasn't been much help. Does anyone have some downtime to help me out with the assignment on a call?

16 Comments
2024/11/23
11:30 UTC

10

Is digital forensics still a viable career option?

Might be a dumb question, but is there any reason for me not to take a digital forensics degree? I'm going to be starting uni in 2025.

12 Comments
2024/11/22
03:06 UTC

3

Alternatives to FOR518 course?

Does anyone know any alternative courses for FOR518: Mac and iOS Forensic Analysis and Incident Response? Mainly looking for a less expensive option. Does not have to be SANS.

5 Comments
2024/11/21
18:53 UTC

47

Some Useful Forensic Tools I Made

I recently created a few useful forensic tools in Python that I wanted to share with you guys. Everything is free and open source.

RegEasy

This software, inspired by RegRipper, provides a way to intuitively extract relevant information from the Windows registry. Each page provides an option to parse a specific registry file. Once you're on the page that corresponds to the registry file you want to parse, you'll have two options:

  1. Select a drive: For this option you can select any drive connected to your computer, and the program will automatically search that drive for the specified registry file to parse the information for you.
  2. Select a registry file: If you have already extracted the registry file you want to parse, then you can use this option to select that registry file directly.

From here, you will be able to select from the checkboxes available to extract whatever information you need.

Link: https://wise-forensics.com/2024/11/16/regeasy/

TrailBytes

Follows the breadcrumbs from any selected user on a computer or mounted disk image. All you need to do is start the program, set a time zone, then select a user, and the program will grab artifacts relevant to that user's activity on the computer and put it together in an ordered timeline. This way you can closely follow exactly which files a user interacted with and when.

Link: https://wise-forensics.com/2024/11/06/trailbytes/

Windows Artifact Viewer

The purpose of this program is to automatically search a device for any Windows artifacts and then parse them. For each artifact, it will only parse the basic, but essential information in them. Think of it like a general overview of each artifact. This will make it so that even someone with nearly zero forensic knowledge can at least get a general idea of what is in each artifact without needing to know how to actually analyze those artifacts themselves. If this program returns information from an artifact that looks important, then it would be useful to use a tool that can do an in-depth analysis of that artifact to get more information.

Link: https://wise-forensics.com/2024/09/16/windows-artifact-viewer/

LSB Steganography

Hides messages inside of images using a key to randomly select the pixels which will store the encoded message.

Link: https://wise-forensics.com/2024/09/15/lsb-steganography/

Some of this software may get falsely flagged as malware, as this tends to happen when using PyInstaller to compile the code into an executable. Like I said before, the source code is public for all of these programs, so you can check out the code to see nothing malicious is going on. Hopefully you guys can find good use with these!

Edit:
If you find any bugs in any of this software, please DM me so I can fix it. Thanks!

13 Comments
2024/11/21
04:53 UTC

1

Question about employee directory

My cousin was engaged to a guy. He was found cheating on her and the wedding was called off. Since he is a narcissistic ah, she shifted to another city, changed her numbers, emails and everything, and got a job in a new company. She got a call from him very late at night on her new number. He seemed to be high, and when she asked how he got her number, he said that he has friends in the company who checked her number in the office employee directory. Her office uses Microsoft 365 and there is indeed a directory to check contact information for all employees. Is it possible to know which employee looked up her details? Which department will have that information in the company? Will they share that information with her? Or does she need to involve the authorities? She spoke with HR but they didn't get back to her.

4 Comments
2024/11/20
19:44 UTC

1

Need help on Assembly language

Hi guys, is anyone here active who can help me with my capture the flag activity? I want to understand how to look at assembly in the IDA tool. I would gladly appreciate the help.

2 Comments
2024/11/20
17:02 UTC

14

Advice for Police Digital Forensics Job

Hello all,

I recently received an offer to work for a police department as a Digital Forensics Examiner. I've been working in IT for the past two years and have a bachelor's and master's in Digital Forensics, but I do not have much work experience in the field. Does anyone who has worked for a police department have any advice for me before I start? Any advice is greatly appreciated.

Thank you!

29 Comments
2024/11/18
22:52 UTC

2

What are the odds of recovering these messages?

I deleted some texts from an iPhone 6s, and I also have some deleted emails from a Gmail account that I would like to recover.

Both sets of messages were deleted in June of this year.

They contain evidence of a crime.

Is it possible to recover these, and how could I do it?

6 Comments
2024/11/17
20:10 UTC

16

Surprised with results

Sent my iPhone 13 to a data rescue lab near Toronto. I had deleted about 20 photos/videos from the phone. They used Cellebrite Premium to do a full file system extraction: no photos found, no cache or thumbnails in the file system. The iPhone was running iOS 16. I had a chat with one of the owners and the man who performed the extraction. He said that since iOS 15 Apple has been clearing these caches and thumbnails very quickly, unlike on Android, and said anything deleted from a modern iOS iPhone is non-recoverable even with law enforcement tools.

31 Comments
2024/11/15
00:25 UTC

1

MSc digital forensics

Hey all, I'm planning to join Cranfield University in the UK. If anyone has any idea about that university, please say anything. I don't know anything about it; a few of my friends said that it was the best university, so I'm going. If anyone knows, please DM me or reply.

4 Comments
2024/11/14
06:01 UTC

0

Help Me!

Hi. How do I use Timeliner to analyze a memory dump file? For example, if I have a file named memdump.mem, how do I install and use the Timeliner tool against this file? What's the syntax?

4 Comments
2024/11/13
02:50 UTC

1

Chances of data recovery?

I'm helping a client but don't have the requisite experience with DF. What are the chances of recovering WhatsApp messages from an iPhone 10 iOS 14.2 16G phone which is not password protected and where the messages were deleted in 2019 and the phone was used for a year after that? I understand the majority of data will be overwritten? Second Q: what are the chances for cell site analysis or Apple Maps destinations to pinpoint the mobile to a certain location (SIM is present)? TIA

3 Comments
2024/11/13
01:45 UTC

1

FTK Imager on USB

Hi, I'm a CS student looking to get into digital forensics. I was talking to an acquaintance who suggested that I learn FTK Imager, and upon doing some research, it seems common to install and run the software from a flash drive. I'm wondering if anyone has any suggestions for good flash drives to use, seeing as the one I'm using right now (the ones in the checkout line at Micro Center) is extremely slow. Any other advice would be much appreciated. Thank you!

8 Comments
2024/11/11
03:12 UTC
